Administrators Authenticating to Another Microsoft Entra ID Tenant

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Detects when a privileged user account successfully authenticates from to another Microsoft Entra ID Tenant. Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins

Attribute	Value
Type	Hunting Query
Solution	GitHub Only
ID	3a0447c1-7f43-43d0-aeac-d5e1247964a8
Tactics	InitialAccess
Techniques	T1078.004
Required Connectors	AzureActiveDirectory, BehaviorAnalytics
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
IdentityInfo	✓	✗	?
SigninLogs	✓	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectory	Microsoft Entra ID

Solutions: Microsoft Entra ID

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries